[160895] in North American Network Operators' Group


Re: Endpoint Security and Smartphones

daemon@ATHENA.MIT.EDU (George Herbert)
Tue Feb 19 11:47:02 2013

In-Reply-To: <2A76E400AC84B845AAC35AA19F8E7A5D0E6F94F0@MUNEXBE1.medline.com>
From: George Herbert <george.herbert@gmail.com>
Date: Tue, 19 Feb 2013 08:46:39 -0800
To: "Naslund, Steve" <SNaslund@medline.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


Normal apps can usually get the accelerometer data without breaking device security.

So you download the newest cool free Mine Birds or whatnot, and its server upload traffic eventually includes guesses at your passcode along with your game status...


George William Herbert
Sent from my iPhone

On Feb 19, 2013, at 8:07 AM, "Naslund, Steve" <SNaslund@medline.com> wrote:

> Kind of seems to me that if I am deep enough in your mobile device to get your accelerometer data, I probably can get access to your stored data in the device.  The only reason I think I would want your passcode would be to physically steal your device and then try to use it.
>
> This is one of those attacks that is probably possible but not practical.  Interesting blog however.
>
> Steven Naslund
>
> -----Original Message-----
> From: Jay Ashworth [mailto:jra@baylink.com]
> Sent: Tuesday, February 19, 2013 9:20 AM
> To: NANOG
> Subject: Endpoint Security and Smartphones
>
> Some time back, the FBI was heard to say in public that draw-your-passpattern security, as seen on Android smartphones and tablets, was too much for them, at least as long as you kept your screen clean of skin oil. :-)
>
> Whether or not that's true, there are apparently ways to attack even that, using just the sensors on the platform.  Specifically, the accelerometers (which are actually usually just angle sensors):
>
>  http://www.schneier.com/blog/archives/2013/02/guessing_smart.html
>
> If you're responsible for security, BTW (and if you're on NANOG, you probably are), Bruce Schneier should be on your daily bookmark list...
> even if you think he's full of crap.
>
> Cheers,
> -- jra
> -- 
> Jay R. Ashworth                  Baylink                       jra@baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA               #natog                      +1 727 647 1274
>

